So, you’re now a Security Control Assessor (SCA)
Elements of Good Audit Practices
There are several activities that will help the security auditor prepare for a formal assessment. It will include such actions as a good Test Readiness Review (TRR), the establishment of Rules of Engagement (ROE), and the employment of a specific (or all) assessment methods available. Being well-prepared for this form of proactive assessment may take the form of a 100% review of all security controls, or a selected percentage, that provides a good picture of a company’s cybersecurity posture.
A TRR is conducted to determine when the IT system under review is ready to proceed into formal assessment and review. This will typically require a designated meeting, either on-site or virtual, that sets the direction of the overall audit and its desired outcomes.
During the pre-phase of any TRR, it requires a decision by the company that its pre- “dry-run” activity of the security controls are as complete as possible. Have the procedures been verified for compliance by the company? Is the effort based upon all required controls? (See Figures 1 and 2 of a sample TRR Checklist)
A TRR provides both the government and company management with assurances that the IT system has undergone a thorough assessment process and is ready to transition to an Independent Validation and Verification (IV&V) phase for audit by the designated security auditors. This is the point where the company has conducted its own review, prepared all required documents, and provided those documents (artifacts) to the audit team.
At this time, the company should have declared its readiness for the audit and the security auditors should have subsequently identified a date and time to conduct its portion of the audit. The audit may be done remotely by employing a thorough documentation review by the audit team off-site. Where appropriate, an on-site assessment may or may not occur, BUT is recommended.
Also, more specifically, if an on-site audit will occur, the audit team will issue “rules of engagement” (ROE) specific to the security assessment event. These established basic rules are provided to avoid confusion and enhance the assessment process.
Several SCA “control language” suggestions directed at the company’s representatives prior to audit:
- All controls are subject to inspection; auditors will not be restricted from accessing portions of the facility or system sub-components directly related to the audit
- The auditor may go beyond documentation review and require demonstration when the control is not clearly answered.
- The company/business is responsible for addressing controls.
The audit team should select some or all the three available assessment methods: examine, interview, or test. “Examine” is the most common and most likely to occur. Examination of documents and artifacts are the easiest and quickest to accomplish. While not as thorough, a “document review” MAY be considered acceptable.
“Interviews” will most likely occur during the normal course of an on-site assessment. This may take the form of open discussion with IT and cybersecurity personnel assigned to address the security controls. Interviews will provide indicators of how well or poorly a company has implemented a security control. It can afford insight needed to make a final and subjective determination between “compliant” and “non-compliant” determinations for the security audit; this is best for determining whether the documentation and the actual physical implementation is complete based upon the company representative’s direct knowledge of the IT environment. The truest and most complete way to know is through the final assessment method: test.
“Test” is the most labor intensive, but most complete way to determine, technically-based controls are fully met. An example might include getting a guest access account, and testing after three failed logins that you are locked out of the system per the company policy. The security auditors will have to determine, based upon available time, whether testing a percentage of these technical controls is needed or warranted[1]; expect that further guidance on the percentage of actual controls the audit team will be required to positively assess either through examination, interviews, or testing.
The most important part of any auditing effort is good planning. It is vital that the auditors establish actions and timelines to improve the overall audit experience not just on the government’s behalf, but for the company. Expect the company and its IT representatives to look to the audit team for clearer guidance as to provide an even better representation of their work.
Furthermore, use the audit as a training opportunity where creating a non-confrontational experience that will serve future audits as a positive, and non-painful event where everyone is better prepared to protect and defend their networks, systems, and data.
[1] Recommend at least 15-20% of the controls are “spot checked.”
Dr. Russo is currently the Senior Data Scientist with Cybersenetinel AI in Washington, DC. He is a former Senior Information Security Engineer within the Department of Defense’s (DOD) F-35 Joint Strike Fighter program. He has an extensive background in cybersecurity and is an expert in the Risk Management Framework (RMF) and DOD Instruction 8510, which implement RMF throughout the DOD and the federal government. He holds a Certified Information Systems Security Professional (CISSP) certification and a CISSP in information security architecture (ISSAP). He has a 2017 Chief Information Security Officer (CISO) certification from the National Defense University, Washington, DC. Dr. Russo retired from the US Army Reserves in 2012 as a Senior Intelligence Officer.
